1. Field of the Invention
This invention pertains in general to computer security and in particular to detecting buffer overflow attacks initiated by viruses, worms, and other types of malicious computer software.
2. Description of the Related Art
Many computers are susceptible to a type of attack called a “buffer overflow attack.” Malicious software, such as a computer virus or worm, can initiate this attack by exploiting a flaw in legitimate software, such as an operating system, executing on the computer. Typically, the flaw involves an operation where the legitimate software reads a data value into a memory buffer allocated for storing the value. If the legitimate software fails to check whether the data value fits within the buffer, the data value can overflow the buffer and overwrite other computer memory.
Malicious software exploits this flaw by sending specially-crafted malicious data values to the legitimate program. The malicious data overflows the buffer and inserts malicious code into the computer's memory. In one attack, the malicious data overwrites an address in the stack. In another attack, the malicious data overwrites pointers to functions that the legitimate software uses to maintain the memory heap. Both of these attacks cause the computer to execute the inserted malicious code.
The malicious code launched by a buffer overflow attack is usually stored in a region of computer memory intended to hold non-executable data. Therefore, one way to detect buffer overflow attacks is to determine whether the computer is executing code held in a memory region designated for executable code or non-executable data. To this end, some computer processors have built-in technology for invoking an exception if code to be executed is held in a non-executable memory region. Software applications can also determine whether code is in a non-executable region.
A significant problem with the buffer overflow detection techniques described above is that they often provide false positive detections of attacks. There are many legitimate programs, such as Just-In-Time compilers, that execute code stored in non-executable memory regions. These false positive detections are undesirable because they can interfere with the normal operation of the computer and confuse end-users.
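As an added illustration, not part of this patent text, the following Linux C program performs the conventional software check described above (classifying an address by the page permissions the operating system assigned to its region) and shows the false positive: a heap buffer that a JIT-style compiler fills with generated code is classified as non-executable data and flagged just as an injected payload would be. The /proc/self/maps layout and the use of an ordinary malloc() buffer as the JIT's code cache are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Classify the mapping that contains addr using the OS's own page permissions.
 * Linux-specific: /proc/self/maps lists each mapping as "start-end perms ...",
 * e.g. "55d0...-55d1... r-xp ...". Returns 1 (executable), 0 (not), -1 (unmapped). */
int region_is_executable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL) return -1;
    uintptr_t target = (uintptr_t)addr;
    int result = -1;
    char line[512], perms[5];
    unsigned long start, end;
    while (fgets(line, sizeof line, maps) != NULL) {
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3) continue;
        if (target >= start && target < end) {
            result = (perms[2] == 'x') ? 1 : 0;   /* perms is e.g. "r-xp" */
            break;
        }
    }
    fclose(maps);
    return result;
}

/* The conventional check from the text: alert whenever the code about to run
 * lies in a region not designated executable. */
int conventional_check_flags(const void *code_addr) { return region_is_executable(code_addr) == 0; }

/* A JIT that emits machine code into an ordinary heap buffer looks, to this
 * check, exactly like a payload overflowed into the same kind of buffer: both
 * sit in non-executable data, so both are flagged. (Assumed JIT behaviour.) */
int heap_buffer_is_flagged(void)
{
    unsigned char *jit_buf = malloc(256);   /* stands in for a JIT's code cache */
    if (jit_buf == NULL) return -1;
    int flagged = conventional_check_flags(jit_buf);
    free(jit_buf);
    return flagged;
}
static int sample_function(int x) { return x + 1; }
int main(void)
{
    char stack_buf[64] = {0};
    printf("text flagged: %d\n", conventional_check_flags((const void *)(uintptr_t)sample_function));
    printf("stack flagged: %d  heap flagged: %d\n", conventional_check_flags(stack_buf), heap_buffer_is_flagged());
    return 0;
}
```

On a typical Linux build the program text is not flagged, while both the stack buffer and the heap buffer are, which is the indistinguishability the text complains about.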
Therefore, there is a need in the art for a way to detect buffer overflow attacks while reducing the number of false positive detections made by conventional techniques.